Java Security Vulnerabilities

I keep getting warnings on my screen that I need a Java software update, but I'm not sure if this is safe to do, or if I really need it. Will I be more vulnerable to security threats if I keep ignoring these popups?

Is Your Java Software Secure?

Just like in a good mystery, the culprit is always the last one you suspect. Most people think spam is the biggest threat to their online security; actually, the volume of spam is declining worldwide and spam filters do an excellent job. Last year, Adobe PDF files made headlines for a security hole that left anyone who read a PDF open to identity theft. But hackers actually launched 3.5 times more attacks against holes in another, unassuming program that is probably installed on your computer right now.

The Java Runtime Environment (JRE or just "Java") is a free add-on program available from Sun Microsystems. It enables the execution of Web applications written in the Java programming language. Java is widely used by Web developers because it is platform-independent - meaning that Java apps will run on any operating system, even mobile operating systems such as Android or Windows Mobile. It is likely that your Web browser prompted you to download and install Java shortly after you began surfing the Web.

Most people install Java and then forget about it. The JRE does not load unless it is needed and it does its work invisibly. To see if Java is installed on your Windows PC, check the list of installed programs in the Add/Remove Programs area of Control Panel. You might see more than one version of Java installed, and that is part of the problem.

Updates, including security patches, for Java are made available several times per year. You may see a notification balloon saying that a Java update is available and asking permission to install it. Many people don't install Java updates because a) they don't recall what Java is; b) things seem to be working fine without any update; and c) downloading and installing the update takes time.

How to Keep Your Java Software Updated

But you really should install Java updates as soon as they become available. Updates are most often issued to close security holes that leave your computer vulnerable to hackers. In April 2010, a serious leak in Java was discovered that would allow hackers to completely take over an exploited PC. The hole was patched in a Java update. Did you get it?

Unfortunately, that was the last Java vulnerability and update that got much mainstream press coverage. Java isn't "news" like Windows, whose routine monthly updates are hard to miss in the computer press.

Another security issue with Java seems to be sloppy programming of the update installer. Two issues have been identified. Sometimes a Java update reports to the user that it has been successfully installed when, in fact, it hasn't been installed. Another glitch is the Java installer's tendency to leave older versions of Java installed even when the latest update has been installed successfully. The older version is still vulnerable to hacker attacks.

To protect yourself against Java exploits, go to the Java site and verify your Java version number. This will tell you if the latest version of Java is installed, and prompt you if you need to uninstall any older versions of Java. To remove an old version of Java on Windows 7 or Vista, click on Start / Control Panel / Programs / Uninstall. On Windows XP, click on Start / Control Panel / Add/Remove Programs.

Moving forward, always take the time to install a Java update when it is offered. And afterwards, check to see if any outdated versions need to be removed.
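The check below is an added example, not part of the original article: it reads the same uninstall registry entries that Add/Remove Programs displays, lists every Java entry it finds, and flags any that is older than the newest one, so leftover versions stand out without clicking through Control Panel. It assumes PowerShell on Windows Vista or later, and the DisplayName patterns are an assumption based on how the Sun/Oracle installer labels itself.

```powershell
# Added example (not from the article): enumerate installed Java entries from
# the Uninstall registry keys and flag any older than the newest one present.
# Note: "newest installed" only means newest on this PC; still compare it with
# the version offered on the Java site.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        # Assumed labels: "Java 7 Update 45", "Java(TM) 6 Update 23", "Java SE ..."
        $_.DisplayName -match '^Java(\(TM\))?\s' -and
        $_.DisplayName -notmatch 'Auto Updater'
    } |
    ForEach-Object {
        # DisplayVersion looks like "7.0.450" or "6.0.230"; use 0.0 if it does not parse
        $ver = [version]'0.0'
        if (-not [string]::IsNullOrWhiteSpace($_.DisplayVersion)) {
            [void][version]::TryParse($_.DisplayVersion, [ref]$ver)
        }
        [pscustomobject]@{
            Name            = $_.DisplayName
            Version         = $ver
            UninstallString = $_.UninstallString
        }
    } |
    Sort-Object Version -Descending

if (-not $javaEntries) {
    Write-Output 'No Java entries found in the Uninstall registry keys.'
    return
}

$newest = $javaEntries[0].Version
foreach ($entry in $javaEntries) {
    $status = if ($entry.Version -lt $newest) { 'OUTDATED - remove' } else { 'newest installed' }
    Write-Output ('{0,-45} {1,-14} {2}' -f $entry.Name, $entry.Version, $status)
}

# Optional: run each outdated entry's own uninstaller (the same action as the
# Control Panel Uninstall button). Needs an elevated (Administrator) prompt.
# $javaEntries | Where-Object { $_.Version -lt $newest } | ForEach-Object {
#     Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $($_.UninstallString)" -Wait
# }
```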

Do you have something to say about Java security vulnerabilities? Post your comment or question below...

Most recent comments on "Java Security Vulnerabilities"

Posted by:
Jason
04 Feb 2011

I also recommend disabling Java in your browser because of the amount of attacks on it (it's the number one way of getting malware on your system if it's not updated).

Look for the add-ons section of your web browser or try typing about:plugins in the location bar) if you don't believe you need it. If after disabling it, all your applications seem to work fine, then you can safely uninstall it. If something doesn't work, you can just re-enable it and no harm done.

It's really not needed to the same extent it once was (when almost every Internet app was Java-based).

Secunia PSI is also a good way of keeping track of programs including Java that need security updates.

http://secunia.com/vulnerability_scanning/personal/

Posted by:
mack
05 Feb 2011

What ver. of PDF do I need, and which one don't I need?

Posted by:
duane
05 Feb 2011

Thanks, this was five times helpful for me.

Posted by:
Chris
05 Feb 2011

Hi Bob,

You're spot on with this article.

Sun (well, Oracle now) are very sloppy in not removing old versions. This is done automatically by other programs such as Firefox, CCleaner, etc., so what's Java's excuse?

Java also installs itself as "Java Console" in Firefox and old versions can be seen there if you click on Tools | Add-ons | Extensions.

Unfortunately, the "Uninstall" option is sometimes greyed out on the old versions and you can only disable the old version. Any idea why this could be?

Chris

Posted by:
chesscanoe
05 Feb 2011

Another Java problem is it can be silently embedded with another installed program, and thus is not listed in Add - Remove programs. I have such an application installed on my PC, and while the Java I otherwise have installed is current on my PC, the embedded Java provided as part of the application never gets updated unless updated by the application owner, which has not happened to date.

Posted by:
kds
05 Feb 2011

Thanks Bob - another great article! So, what about all those other updates? Windows, Internet Explorer, Firefox, Acrobat, security, etc. - How is one to know if all these are important? Isn't it safe to say that if your system is running these things and it wants to update them, then one should install the updates? This will ensure that the latest patches and upgrades have been made and vulnerabilities minimized.

Posted by:
Gloria
05 Feb 2011

I have the old version of Java installed, but when trying to uninstall it, receive message that I do not have system administrator permission to uninstall. I am the only user so am I not the system administrator? How do I uninstall this possibly harmful old Java program?

Posted by:
Walt Conlon
05 Feb 2011

Very helpful. I had a Trojan Downloader that Microsoft Essentials could not clear. After reading this article I checked my JAVA version and it was "06". I installed the new version of JAVA and removed the old version and it appears that the problem is fixed.
Thanks for the great tech letters.

Walt Conlon

Posted by:
Ann
06 Feb 2011

I followed your advice and installed the Java updates; when I restarted my computer I got the dreaded "Blue Screen"!!! This is the second time this has happened to me after updating Java. I no longer have Java installed on my computer....

Posted by:
Joe Harold
06 Feb 2011

@Gloria--I am also the only user of my PC. I have 2 accounts: (1) Standard User--which should be used for just about everything, especially on-line work--and (2) Administrator--which is needed for system maintenance like installing/removing software.

There are 3 ways to "be" an Administrator:

1) As a Standard User, you can "borrow" Administrator privileges through those User Account Control boxes that pop up (since Vista) which ask you for Admin's password. You don't need to invoke them as they pop up automatically when required.

2) You can right click on a program's icon or name and select "Run as Administrator" from the list. (I'm not sure if this method works for updating/uninstalling Java)

3) Switch to your Administrator account directly and do the uninstall from that account. To do this:
Open your Start Menu and slide your pointer to the right along the bottom of the Start Menu so that you hover over the right pointing arrow. This will bring up a few shutdown options, including Switch User. Click it and provide your Admin's password.
You should be able to do your uninstall that way.
Good luck,
Joe

Posted by:
C Wolfe
09 Feb 2011

Thanks, Bob, for a most helpful article. I hadn't been experiencing any noticeable problems but found that I did indeed have two versions of Java, #7 and #23. Please note that the Verify page found the #23 version but not the #7. I uninstalled the #7 version.

My main tactics for prevention include updating security patches, not adding anything to this computer except OpenOffice and several browsers, not downloading IE8, using IE7 only for MS security downloads, configuring a browser other than IE as the default browser, buying an AV program in a store once a year and updating it manually, not permitting automatic downloads and using all the standard email mechanisms. And, of course, reading Bob Rankin's newsletter which has long kept me abreast of all I need to know.

Keep up the good work!

Posted by:
Pete E
09 Feb 2011

The easiest "update management method" I know is to use SECUNIA software. Run Secunia at regular intervals (bi-weekly) and it will tell you which of your programs need to be updated, where to get the updates from, and in many instances, update them for you. And it's FREE.

Posted by:
Dolores
10 Feb 2011

Thank you for an informative article. I immediately clicked the link and was pleased to learn that I had the latest update. I will share this with my not so savvy friends.

Posted by:
Dave
12 Feb 2011

A useful tool for removing older versions of Java is JavaRa.
Website and download link:
http://raproducts.org/wordpress/software

I've been using it since it first came out and love it.
